On 10 February 2026, the Commission unconditionally approved Alphabet’s USD 32 billion acquisition of Wiz, a cloud security firm whose multi-cloud platform operates across Google Cloud, AWS, Microsoft Azure, and Oracle Cloud. The deal almost did not happen: Wiz rejected an earlier USD 23 billion offer from Google, citing its intention to go public instead. Google returned nine months later with an offer that proved difficult to refuse, suggesting that Wiz’s strategic value to Google is considerable. This post considers two aspects of the clearance: whether the Commission’s Phase I clearance was appropriate in light of the broader context of the acquisition, and the jurisdictional route by which the Commission acquired competence to review the transaction.
Was unconditional approval the right call?
Whilst the full decision has not yet been published, the Commission’s press release offers some insight into the reasoning behind the unconditional clearance. In effect, the Commission considered there to be strong competitive pressure on the Google Cloud Platform in the cloud infrastructure market from AWS and Azure and found that credible alternatives to Wiz exist to which customers could switch in the event that Wiz’s compatibility with rival cloud platforms is diminished following the acquisition.
That the transaction does not raise concerns warranting prohibition is not implausible on these grounds. Whether unconditional clearance at Phase I was appropriate is less clear. A coalition of civil society organisations, including the Open Markets Institute, SOMO, and the Balanced Economy Project, argued that a Phase I review was insufficient to capture the competitive risks at stake and urged the Commission to open a Phase II investigation. Without the full decision, it is not possible to assess whether the Commission engaged with these concerns. What can be examined is how the acquisition looks when placed in the context of Google’s broader cloud security acquisitions and the effects this may have on competition and investment incentives in the market.
Wiz is not the first acquisition Google has made in the cloud security space. It acquired Chronicle in 2019 and Siemplify and Mandiant in 2022. With Wiz, Google has assembled a cloud security platform providing customers with integrated capabilities spanning threat intelligence, threat detection, incident response, and exposure assessment. As cloud security and compliance burdens become increasingly important factors in choosing a cloud infrastructure provider, this series of acquisitions positions Google to offer a solution that increases the attractiveness of its cloud offering relative to rivals in both cloud infrastructure and cloud security markets, particularly if the assembled platform is more deeply integrated with Google Cloud than with competing providers (Van den Boom & Samranchit, 2022).
The Commission’s finding that credible alternatives exist and that customers retain the ability to switch may hold for Wiz as a standalone product, though even this is contested by the coalition’s submission, which argues that switching costs between cloud security providers are operationally and financially substantial and that Google’s commitment to maintain interoperability is unlikely to survive the strategic incentive to gradually align Wiz’s development priorities with Google Cloud. Whether the finding holds is less clear when the question is not whether customers can replace Wiz but whether they can replace the integrated platform that Google has assembled through its serial acquisitions.
So too is the question of what is lost when a cloud-neutral provider of this significance is removed from the market. Wiz’s independence was commercially viable: it was credibly pursuing an IPO before Google returned with an offer sufficient to change the calculus. That Google had to exceed what Wiz expected to achieve independently tells us something about the strategic value of Wiz’s position as an independent layer operating across rival cloud environments. With the acquisition, that position ceases to exist.
The effects are unlikely to be confined to the merging parties. With an important cloud-neutral innovator absorbed into Google’s ecosystem and Google now positioned to offer a complete security stack, the space for an independent challenger to emerge with a comparable offering narrows. The acquisition also sends a signal to the venture capital community. That Wiz’s valuation apparently outweighed its IPO ambitions tells venture capitalists that the most profitable exit in cloud security runs through the incumbents. Funding is likely to flow toward startups that fill gaps in the offerings of Google, AWS, or Azure, particularly if the latter two pursue acquisitions of their own, rather than toward those building independent alternatives, which lack the scale to offer a comparable integrated platform. The very competition between hyperscalers that the Commission relied on to clear the deal may itself channel investment toward sustaining their positions rather than challenging them.
This dynamic may not stop at cloud security. Cloud infrastructure is surrounded by adjacent layers in which independent providers currently operate across multiple cloud environments, including data analytics, database management, observability, and AI development tools, several of which Google is already well-positioned in. If Google pursues a similar acquisition strategy in these markets, the same competitive effects are likely to follow, with independent challengers absorbed and capital redirected toward acquisition-compatible ventures. The cumulative result is an increasingly integrated cloud ecosystem in which Google’s offerings become progressively harder to replicate and to replace.
Given previous serial acquisitions that allowed Google to extend its dominance across adjacent markets, including Google/DoubleClick, the unconditional clearance at Phase I is a surprising outcome. The full decision, once published, will reveal whether the Commission’s analysis engaged with the dynamics outlined above or whether it assessed the acquisition in the narrower terms suggested by the press release. Whether the Commission is in a position to scrutinise such acquisitions at all is, however, a prior question, and one that depends on the jurisdictional framework through which it acquires competence over these transactions.
Another high-profile digital transaction, another referral
Beyond the substantive assessment, the jurisdictional route through which the Commission acquired competence over this transaction is notable in its own right. The acquisition did not meet the EU Merger Regulation’s turnover thresholds that would require Google to notify the Commission. Instead, a USD 32 billion transaction, Google’s largest ever, entered the Commission’s purview only because Google itself requested an upward referral under Article 4(5) of the EU Merger Regulation, which allows merging parties to request Commission review where the transaction is capable of being reviewed under the national competition laws of at least three Member States. In this case, Cyprus, Ireland, and Sweden were capable of reviewing the merger.
This is not the first time the EU Merger Regulation’s thresholds have failed to capture a high-profile digital transaction. The Commission’s prohibition of Booking/eTraveli, on the grounds that Booking could use its dominant position in one market to strengthen its position in an adjacent one, only came about through an Article 4(5) referral. The same is true of Facebook/WhatsApp and Google/DoubleClick. Other transactions have reached the Commission through Article 22, which allows national competition authorities to refer cases directly, as in Adobe/Figma and the now-contested referral of Nvidia/Run:ai. That several of the most consequential merger decisions in the digital sector required a referral mechanism to reach the Commission at all suggests a pattern rather than a one-off case.
As more Member States introduce call-in powers (which allow competition authorities to assert jurisdiction over mergers that do not meet standard notification thresholds), or adopt non-turnover-based thresholds such as the transaction value thresholds in Austria and Germany, the number of transactions capable of being reviewed at the national level will grow, and with it the scope for upward referrals to the Commission under Article 4(5). The breadth of these powers varies considerably (Bagnoli and Faraone, 2025). Ireland, for instance, requires only that the merger have a potential adverse effect on competition, a low bar that brings a wide range of transactions within reach. Other Member States impose additional conditions, such as a turnover de minimis threshold, that limit the exercise of call-in powers to transactions of a certain scale. As these powers expand, the likelihood that any given transaction will be reviewable in at least three Member States increases accordingly. If upward referrals become the rule rather than the exception for high-value digital acquisitions, it is worth asking whether the Commission should revisit the complementary threshold it dismissed in 2021 on the grounds that it would generate too many notifications without competition concerns. A system that routinely depends on national call-in powers to deliver jurisdiction that the Regulation was designed to provide suggests the Regulation itself needs amending.
The Google/Wiz clearance raises two questions. Substantively, the full decision may well address the dynamics discussed above, but the press release suggests an assessment focused on the individual transaction rather than on the platform it completes. Whether a Phase I review was sufficient to engage with the serial acquisition context, the removal of an independent cloud-neutral provider, and the longer-term effects on contestability and investment incentives in the cloud security market is a question the published decision will need to answer. Jurisdictionally, the case reinforces a familiar pattern: the Regulation’s turnover thresholds continue to miss transactions of obvious significance in the digital sector, leaving the Commission dependent on referral mechanisms that were designed as corrective tools rather than as the primary route to jurisdiction. The Google/Wiz clearance will not be the last case to test these limits.
* Pursuant to the ASCOLA Transparency and Disclosure Declaration, the author declares not to have any conflicts of interest to disclose.






